XWiki xwiki-platform vulnerabilities
227 known vulnerabilities affecting xwiki/xwiki-platform.
Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3
Vulnerabilities
Page 7 of 12
CVE-2024-21648 | P3 | HIGH | CVSS 8.8 | CWE-274 | Affected: >= 1.0, < 14.10.17; >= 15.0-rc-1, < 15.5.3; +1 more | Published: 2024-01-09 | Source: nvd
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The rollback action is missing a right protection, a user can rollback to a previous version of the page to gain rights they don't have anymore. The problem has been patched in XWiki 14.10.17, 15.5.3 and 15.8-rc-1 by ensuring that the rights are ch
CVE-2023-45135 | P3 | HIGH | CVSS 8.0 | CWE-116 | Affected: >= 7.2-milestone-2, < 14.10.12; >= 15.0-rc-1, < 15.5-rc-1 | Published: 2023-10-25 | Source: nvd
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In `org.xwiki.platform:xwiki-platform-web` versions 7.2-milestone-2 until 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, it is possible to pass a title to the page creation action that isn't
CVE-2025-49582 | P3 | HIGH | CVSS 8.0 | CWE-357 | Affected: >= 15.9-rc-1, < 16.4.7; >= 16.5.0-rc-1, < 16.10.3; +1 more | Published: 2025-06-13 | Source: nvd
XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious cont
CVE-2025-32973 | P3 | CRITICAL | CVSS 9.0 | CWE-862 | Affected: >= 15.9-rc-1, < 15.10.12; >= 16.0.0-rc-1, < 16.4.3; +1 more | Published: 2025-04-30 | Source: nvd
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning th
CVE-2025-32974 | P3 | CRITICAL | CVSS 9.0 | CWE-116 | Affected: >= 15.9-rc-1, < 15.10.8; >= 16.0.0-rc-1, < 16.2.0 | Published: 2025-04-30 | Source: nvd
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due t
CVE-2023-48240 | P3 | HIGH | CVSS 8.8 | CWE-201 | Affected: >= 11.10.1, < 14.10.15; >= 15.0-rc-1, < 15.5.1; +1 more | Published: 2023-11-20 | Source: nvd
XWiki Platform is a generic wiki platform. The rendered diff in XWiki embeds images to be able to compare the contents and not display a difference for an actually unchanged image. For this, XWiki requests all embedded images on the server side. These requests are also sent for images from other domains and include all cookies that were sent in the or
CVE-2024-31986 | P3 | HIGH | CVSS 8.8 | CWE-95 | Affected: >= 3.1, < 14.10.19; >= 15.0-rc-1, < 15.5.4; +1 more | Published: 2024-04-10 | Source: nvd
XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted document reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is
CVE-2022-36090 | P3 | HIGH | CVSS 8.1 | CWE-285 | Affected: >= 1.1, < 13.10.5; >= 14.0, < 14.3-RC-1 | Published: 2022-09-08 | Source: nvd
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. In the same way some resources h
CVE-2023-29202 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | Affected: >= 1.8, <= 3.0.1 (fixed in 14.6-rc-1) | Published: 2023-04-15 | Source: nvd
XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter `content` was set to `true`. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scri
CVE-2022-31166 | P3 | HIGH | CVSS 8.8 | CWE-269 | Affected: >= 11.3.7, < 13.10.4; >= 14.0-rc-1, < 14.2-rc-1 | Published: 2022-09-07 | Source: nvd
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor leads to adding a supplementary empty value to groups whic
CVE-2023-26472 | P3 | HIGH | CVSS 8.8 | CWE-116 | Affected: >= 6.2-milestone-1, < 13.10.10; >= 14.0, < 14.4.6; +1 more | Published: 2023-03-02 | Source: nvd
XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for users not having edit right. The issue has been patched in XWiki 14.9, 14.4.
CVE-2022-41928 | P3 | HIGH | CVSS 8.8 | CWE-95 | Affected: >= 5.0-milestone-1, < 13.10.7; >= 14.0.0, < 14.4.2 | Published: 2022-11-23 | Source: nvd
XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. This has been patched in versions 13.10.7, 14.4.2, and 14.5. The issue can be fixed on a running wik
CVE-2023-26474 | P3 | HIGH | CVSS 8.8 | CWE-284 | Affected: >= 13.10, < 13.10.11; >= 14.0, < 14.4.7; +1 more | Published: 2023-03-02 | Source: nvd
XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.
CVE-2025-58049 | P3 | HIGH | CVSS 7.5 | CWE-212 | Affected: >= 14.4.2, < 16.4.8; >= 16.5.0-rc-1, < 16.10.7; +1 more | Published: 2025-08-28 | Source: nvd
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't
CVE-2023-29213 | P3 | HIGH | CVSS 8.8 | CWE-74 | Affected: >= 4.2-milestone-3, < 13.10.11; >= 14.0-rc-1, < 14.4.7; +1 more | Published: 2023-04-17 | Source: nvd
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of `org.xwiki.platform:xwiki-platform-logging-ui` it is possible to trick a user with programming rights into visiting a constructed url where e.g., by embedding an image with this URL in a document that is viewed by a user with
CVE-2023-46242 | P3 | HIGH | CVSS 8.8 | CWE-94 | Affected: >= 1.0, < 14.10.7 | Published: 2023-11-07 | Source: nvd
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users a
CVE-2023-34465 | P3 | HIGH | CVSS 8.1 | CWE-269 | Affected: >= 11.8-rc-1, < 14.4.8; >= 14.5, < 14.10.6; +1 more | Published: 2023-06-23 | Source: nvd
XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently, they can change the mail obfuscation configuration and view and edit the mail sending configuration, including the smtp domain name and credentials. Th
CVE-2025-29924 | P3 | HIGH | CVSS 7.5 | CWE-269 | Affected: >= 6.1-rc-1, < 15.10.14; >= 16.0.0-rc-1, < 16.4.6; +1 more | Published: 2025-03-19 | Source: nvd
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific
CVE-2022-41930 | P3 | HIGH | CVSS 8.2 | CWE-862 | Affected: >= 12.4, < 13.10.7; >= 14.0.0, < 14.4.2 | Published: 2022-11-23 | Source: nvd
org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow a disabled user to re-enable themselves, or an attacker to disable any user of the wiki. The problem has be
CVE-2022-24821 | P3 | HIGH | CVSS 8.1 | CWE-648 | Affected: > 3.1M1 | Published: 2022-04-08 | Source: nvd
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allows anyone with edit rights to actually create t